Active breach tracker Chicago, IL Disclosed January 15, 2026

Continental Casualty (CNA) Data Breach 2026: 6,086 Illinois Policyholders Exposed. Separate From 2021 Phoenix CryptoLocker. What To Do

Continental Casualty Company (CNA), the insurance subsidiary of CNA Financial Corp., disclosed an October 2024 intrusion of external systems (discovered January 2025) affecting 6,086 individuals in Illinois. Distinct from the 2021 Phoenix CryptoLocker ransomware. 12 months Epiq identity-monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 21, 2024

Unauthorized access to CNA external systems

Jan 13, 2025

CNA discovers the intrusion (~12-week dwell time)

Apr 1, 2025

Individual notification letters sent Q1-Q2 2025

Jan 15, 2026

HHS OCR portal posting (Illinois, 6,086 affected)

Data exposed

01

High-risk identity

Enables financial + identity theft

Likely Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Policy / health-benefit information (specifics not enumerated in publicly indexed letter copies)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Srourian Law Firm (publicly investigating) Console & Associates (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Continental Casualty Company (CNA) is the insurance subsidiary of CNA Financial Corp., headquartered at 151 N. Franklin Street in Chicago, Illinois. CNA’s portfolio includes long-term care insurance, group benefits, and professional liability — lines that bring CNA under HIPAA as a covered entity / business associate.

On October 21, 2024, an unauthorized actor accessed CNA’s external systems. CNA discovered the intrusion on January 13, 2025 — a roughly 12-week dwell time. Individual notification letters were mailed in Q1-Q2 2025. The HHS OCR breach portal lists 6,086 affected individuals in Illinois under a 2026 filing.

This incident is separate from the 2021 Phoenix CryptoLocker ransomware attack that hit CNA Financial directly (reportedly settled with a ~$40M ransom payment, ~75,000 individuals affected). The 2021 event was a network-encryption ransomware compromise; the 2024-2025 incident is a distinct intrusion of “external systems.”

No threat actor has publicly claimed responsibility. No ransomware leak-site listing has been observed.

Separately, the New York Department of Financial Services issued a Consent Order to CNA Insurance Group on December 22, 2024 for cybersecurity-regulation compliance issues — that order relates to earlier compliance posture, not specifically to this 2024-2025 breach.

What was stolen

Public notification letters describe the incident as “Notice of Data Breach” but specific data-element enumerations are not exposed in publicly indexed copies. Based on CNA’s portfolio (long-term care, group benefits, professional liability), the exposure likely includes:

  • Full name
  • Social Security number (likely)
  • Policy / health-benefit information

OCR’s classification of this filing as a HIPAA breach implies PHI was involved.

What CNA is offering

  • 12 months of complimentary identity-monitoring service through Epiq

What to do

  1. Enroll in Epiq monitoring through the activation code in your letter.
  2. Place free credit freezes at all three bureaus.
  3. File IRS Form 14039 if your SSN was in scope.
  4. Read your specific notification letter to confirm what data elements were involved in your case — public disclosures are sparse for this incident.
  5. Stop the ongoing flow of your insurance-data PHI. HealthConsent files HIPAA restriction requests covering long-term-care and group-benefit insurance data flows.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.